RE: mod_authnz_ldap with wildcard certificate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,
 
you are right... more details ...
I must also specify that apache in SSL (https) is working fine with these certificates ...I do not say this is an apache problem, but more on the ldap module and certainly on the libraries under ...
 
A) Apache
 
Syntax inside Apache :
     LDAPTrustedMode SSL
     LDAPTrustedGlobalCert CA_DER /etc/apache2/ssl.apa/Comodo_Apache.cer
In this case, this is the certificate (Since i am autehnticating against Novell edirectory, sometimes it requests the server certicate itself as the CA). But i also used the CA cert from Comodo and it's the same.
 
Error in apache log is only (and my server is available, of course):
[Fri Nov 13 07:37:53 2009] [warn] [client 192.168.10.171] [21099] auth_ldap authenticate: user fpe authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
 
B) Tests with OpenLdap
 
ldap.conf is :
TLS_KEY /etc/openldap/certs/server.key
TLS_CACERT /etc/openldap/certs/cacert.txt
TLS_CERT /etc/openldap/certs/server.cer
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
TLS_REQCERT never
Testing with :
 ldapsearch -H ldaps://myserver -D cn=binduser,ou=myou,o=idsa -W -x "(cn=thisobject)"
 
Doesn't work. Only by putting TLS_REQCERT never in ldap.conf i can use LDAPs (but without any cert validation in this case ... bad ;-()
 
hope this help. thx

>>> Emmanuel Bailleul <Emmanuel.Bailleul@xxxxxxxxxxx> 13.11.2009 08:40 >>>
>De : Francois Pernet [mailto:Francois.Pernet@xxxxxxx]
>Envoyé : vendredi 13 novembre 2009 07:00
>À : users@xxxxxxxxxxxxxxxx
>Objet : mod_authnz_ldap with wildcard certificate
>
>Hi all,
>
>Unable to use a wilcard certificate (*.domain.com from Comodo) with LDAP authentication >in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails ...
>
>I verified that certificate contains :
>Subject : ....*.domain.com
>X509v3 Subject Alternative Name:
>                DNS:*.domain.com, DNS:domain.com
>Is there any known issue with wildcard certificates ?
>How proper should be the syntax in order to use it ?
>
>Thx in advance

Hi,
How can you be sure this is an Apache problem ? Did you try first "by hand" to perform for example an ldapsearch test ?
And would you show us snippets of your conf file(s) and especially of the Apache logs when it fails ?

Regards.

Emmanuel




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux